CVE-2020-1738

CVSS v3.1

3.9

Low

Vector

AV:L/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:L

Name of the Vulnerable Software and Affected Versions Ansible Engine versions 2.7.x through 2.9.x

Description A flaw was found in Ansible Engine when the module package or service is used and the parameter use is not specified. If a previous task is executed with a malicious user, the module sent can be selected by the attacker using the ansible facts file.

Recommendations For versions 2.7.x, 2.8.x, and 2.9.x, consider specifying the use parameter when using the module package or service to prevent exploitation. As a temporary workaround, restrict access to the ansible facts file to minimize the risk of exploitation. Avoid using the module package or service with untrusted users until a fix is available.

Fix

Argument Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-88

Related Identifiers

ALT-PU-2020-1453

ALT-PU-2020-1490

CVE-2020-1738

GHSA-F85H-23MF-2FWH

OESA-2021-1349

OPENSUSE-SU-2022:0081-1

OPENSUSE-SU-2024:10615-1

OPENSUSE-SU-2024:14244-1

OPENSUSE-SU-2024:14536-1

OPENSUSE-SU-2025:15605-1

OPENSUSE-SU-2025:15753-1

PYSEC-2020-10

SUSE-SU-2020:3309-1

Affected Products

Alt Linux

Ansible-Core

Ansible Engine

Debian

CVE-2020-1738

Weakness Enumeration

Related Identifiers

Affected Products

References · 168